Petri net unfoldings are a useful tool to tackle state-space explosion in verification and related tasks.
Moreover, their structure gives direct access to the relations of causal precedence, concurrency,
and conflict between events. Here, we explore the data structure further, to determine the following
relation: event a is said to reveal event b iff the occurrence of a implies that b inevitably occurs, too,
be it before, after, or concurrently with a. Knowledge of reveals facilitates in particular the analysis of
partially observable systems, in the context of diagnosis, testing, or verification; it can also be used
to generate more concise representations of behaviours via abstractions. The reveals relation was
previously introduced in the context of fault diagnosis, where it was shown to be decidable: for a
given pair a, b in the unfolding U of a safe Petri net N, a finite prefix P of U is sufficient to decide
whether or not a reveals b. In this paper, we first considerably improve the bound on |P|. We then
show that there exists an efficient algorithm for computing the relation on a given prefix. We have
implemented the algorithm and report on experiments.



Topics: Structure and behaviour of Petri Nets; partial-order theory of concurrency; automatic analysis 



1 Introduction 

Petri nets (see e.g. [15, 14]) and their partial-order unfoldings [13, 4, 12] have long been used in model
checking. Their crucial feature is the partial-order representation of concurrency, which allows escaping
the state-space-explosion problem brought about by the use of interleaving semantics.

In this paper, we will focus on the problem of determining the following relation: an event a is said to 
reveal another event b iff, whenever a occurs, the occurrence of b is inevitable. This does not imply that a 
and b are causally related (though they may be); in fact, b may have occurred before a, lie in the future of 
a, or even be concurrent to a. To some degree, this relation is complementary to the well-known conflict 
relation: a and b are in conflict if the occurrence of a implies that the occurrence of b is impossible. 
Notice however that the conflict relation is symmetric while reveals is not. 

We further emphasize that the reveals relation is essentially a non-temporal relation, as opposed to
temporal properties or the synchronic distance of e.g. [7, 16, 18]. The latter measures the quantitative
degree of independence in the repeated occurrences of two net transitions, whereas a ▷ b holds if and only
if event a implies event b.

The reveals relation was first introduced in [9]; more properties and discussions of its applications
are given in [11]. An important motivation for studying reveals lies in the partial observability of many
systems in applications such as those related to fault diagnosis. The idea is that a ▷ b implies that it suffices
to observe a to infer the occurrence of b; conversely, b does not have to be observable itself, provided a or
any other event that reveals b is observable.

This binary relation is the topic of the present article. Recently, [1] gave generalizations that include a
reveals relation connecting pairs of sets of events; however, even in this general setting the binary relation
turns out to play a central role. Its exploration and effective computation therefore remains an important
task, not only for the structural theory. In fact, ▷ is relevant in general for opacity-related properties and
tasks concerning concurrent systems; potential and actual applications include verification, diagnosability
(see [11, 10]) and other properties, conformance testing, and the synthesis of controllers and adaptors.

Concerning the task at hand, note that it was shown in [11] that the reveals relation can be effectively
computed for unfoldings of safe nets. For each pair of events (a, b), a suitable finite prefix, whose height
exceeds that of a and b by at most a uniform bound, is sufficient to verify whether a reveals b. Here, we make
the following contributions:

• We considerably improve the bound on the size of the finite prefix needed to decide whether a 
reveals b. While the previous bound seemed to make this decision impracticable, the new bound 
gives much more hope to determine the relation in practice. 

• Motivated by this, we discuss an efficient algorithm that computes the entire reveals relation within 
a given prefix. The algorithm can be implemented completely with bitset operations. 

• We have implemented the algorithm and report on experiments, notably on the following questions: 
how big is the prefix necessary to determine the reveals relation, and how much time does it take 
to compute said relation on a given prefix? Concerning the second question, the algorithm turns 
out to be suitably fast; it works on prefixes with tens of thousands of events in a few seconds, and 
usually takes less time than the actual construction of the prefix. 

We proceed as follows: Section 2 introduces Petri nets, their unfoldings, the reveals relation, and
some of its salient properties. Section 3 gives the new bound on the size of the prefix. Section 4 presents
an algorithm for computing reveals on a given prefix, and Section 5 presents the experiments. We
conclude in Section 6.

2 Definitions 

This section introduces central definitions and facts about Petri nets, their unfoldings, and the reveals
relation. While most definitions and some results would be valid in the case of Petri nets that are bounded,
but not 1-bounded, our main interest is in 1-bounded (aka safe) nets. Moreover, lifting to non-safe nets
brings little additional insight but makes arguments much more technical and cumbersome; we therefore
chose to focus on safe nets.

2.1 Petri nets 

A Petri net is a tuple N = (P, T, F, M₀), where P and T are disjoint sets of places and transitions, respec-
tively, and F ⊆ (P × T) ∪ (T × P) is the flow relation. Any function M: P → ℕ is called a marking, and
M₀ is the initial marking. By node, we shall mean an element from the set P ∪ T.

In figures (e.g., the left-hand side of Figure 1), circles represent places, rectangular boxes represent
transitions, and directed edges represent F. A marking M is represented by black tokens.
For a node x, call •x := {x' | (x', x) ∈ F} the preset, and x• := {x' | (x, x') ∈ F} the postset of x.
Moreover, for any set X ⊆ P ∪ T, set

$$
{}^{\bullet}X := \bigcup_{x \in X} {}^{\bullet}x \quad\text{and}\quad X^{\bullet} := \bigcup_{x \in X} x^{\bullet}.
$$

Transitions induce a firing relation among markings, as follows: Let M, M' be markings and t a transition.
Then we write M —t→ M' iff M(p) ≥ 1 for every p ∈ •t, and M'(p) = M(p) − 1 if p ∈ •t \ t•, M'(p) =
M(p) + 1 if p ∈ t• \ •t, and M'(p) = M(p) otherwise. In words, we also say that t is enabled in M, and
that firing it leads to M'.

A finite sequence σ := t₁ … t_k of transitions is a run iff M₀ —t₁→ M₁ —t₂→ ⋯ —t_k→ M_k for some markings
M₁, …, M_k; if such a run exists, then M_k is said to be reachable. The set of reachable markings is denoted
R(N). A net is said to be safe if no reachable marking puts more than one token into any place. As
explained above, all the nets we are interested in will be safe. Thus, we shall henceforth treat markings
as subsets of P.

An infinite sequence t₁t₂ … is called a run if every finite prefix of it is one. We say that a run σ is fair iff

• either σ is finite, and in the marking reached by σ, no transition is enabled;

• or σ = t₁t₂ … is infinite, where M₁, M₂, … are the markings generated by firing σ, and there exists
no pair t ∈ T and i ≥ 1 such that t is enabled in all M_k, k ≥ i, and t ≠ t_k for all k ≥ i.

In other words, a fair run cannot delay firing an enabled transition forever.

2.2 Occurrence nets

Occurrence nets are a specific type of acyclic Petri net. Keeping with tradition, we shall call the places of
an occurrence net conditions and its transitions events. Fix a safe Petri net O = (C, E, F, C₀) for the rest
of this subsection. We let < denote the transitive closure of F and ≤ the reflexive closure of <; further,
if e ∈ E is an event, let ⌈e⌉ := {e' ∈ E | e' ≤ e} be the cone of e, and ⌊e⌋ := ⌈e⌉ \ {e} the pre-cone of e.

Two nodes x, x' are in conflict, written x # x', if there exist e, e' ∈ E such that (i) e ≠ e', (ii) •e ∩ •e' ≠ ∅,
and (iii) e ≤ x and e' ≤ x'.

O is called an occurrence net if it satisfies the following properties: 

1. no self-conflict: ∀x ∈ C ∪ E: ¬(x # x);

2. < is acyclic, i.e. ≤ is a partial order;

3. finite cones: all events e satisfy |⌈e⌉| < ∞;

4. no backward branching: all conditions c satisfy |•c| ≤ 1;

5. C₀ ⊆ C is the set of <-minimal nodes.

Example 1 The right-hand side of Figure 1 shows an occurrence net. The events a and c are both in
conflict with b, yet not with one another; in fact, they are concurrent (neither ordered nor in conflict).

Let O = (C, E, F, C₀) be an occurrence net. We call O' = (C', E', F', C₀) a prefix of O if

• C' ⊆ C, E' ⊆ E, F' = F ∩ (C' ∪ E')², and moreover C' ⊇ C₀ ∪ (E')•;

• C' and E' are downward-closed, i.e. for any x ∈ C' ∪ E' and y < x we have y ∈ C' ∪ E'.

Figure 1: A Petri net (left) and a prefix of its unfolding (right)



A prefix is called finite if C' and E' are finite sets. Notice that each prefix is uniquely determined by its
set of events. We denote by O[E'] the unique prefix of O whose set of events is E'.

Let 𝒞 ⊆ E be a downward-closed and conflict-free set of events, that is, e ∈ 𝒞 and d < e imply
d ∈ 𝒞, and e, e' ∈ 𝒞 implies ¬(e # e'). Then we call 𝒞 a configuration of O. Given a configuration 𝒞,
we define Cut(𝒞) to be the set of <-maximal conditions of O[𝒞]. Moreover we define the postfix O/𝒞
to be the occurrence net (C'', E'', F'', C₀''), where C'' = C \ •𝒞, E'' = E \ 𝒞, F'' = F ∩ (C'' ∪ E'')², and
C₀'' = Cut(𝒞).

If 𝒞 is a finite configuration and e ∈ E \ 𝒞 an event such that •e ⊆ Cut(𝒞), then 𝒞' := 𝒞 ∪ {e}
is a configuration, and we write 𝒞 —e→ 𝒞' or 𝒞 ⋖ 𝒞'. By extension, for a finite configuration 𝒞 and a set
A = {e₁, …, e_n} of events, we write 𝒞 —A→ 𝒞' iff there exist 𝒞₀, …, 𝒞_n such that 𝒞₀ = 𝒞, 𝒞_n = 𝒞', and
for all i = 1, …, n, 𝒞_{i−1} —e_i→ 𝒞_i. We write 𝒞 ⊑ 𝒞' if there exists a set A such that 𝒞 —A→ 𝒞'.
The following facts are well-known, see e.g. [3, 4]:

• A downward-closed set 𝒞 ⊆ E is a configuration iff the elements of 𝒞 can be arranged to form a
run σ of O. We have that σ is fair iff 𝒞 is maximal. Moreover, if 𝒞 is finite, then σ leads from C₀
to Cut(𝒞).

• For every event e, ⌈e⌉ and ⌊e⌋ are configurations.

• Let c, c' ∈ C be a pair of conditions. Then exactly one of the following three statements holds:

  - c and c' are causally related, i.e. c < c' or c' < c;

  - c and c' are in conflict, i.e. c # c';

  - c and c' are called concurrent, written c co c', i.e. there exists a configuration 𝒞 such that
    {c, c'} ⊆ Cut(𝒞).

A set of pairwise concurrent conditions is called a co-set.



S. Haar, C. Kern, S. Schwoon 






2.3 Unfoldings 

Let N = (P, T, F, M₀) be a safe Petri net. Intuitively, an unfolding of N is an acyclic version of N where
loops of N are "unrolled"; an unfolding is usually infinite even if N is finite.

Formally, U = (C, E, G, C₀) is called an unfolding of N if U is an occurrence net equipped with a
mapping f: (C ∪ E) → (P ∪ T), which we extend to sets and sequences in the usual way. We shall write
f: A ↔ B if the restriction of f to A yields a bijection between A and B. Then U is the unfolding of N if
the following properties hold:

• f(C) ⊆ P, f(E) ⊆ T, and f: C₀ ↔ M₀;

• for every co-set D ⊆ C and transition t ∈ T such that f: D ↔ •t, there is exactly one event e ∈ E
with f(e) = t and •e = D;

• if f(e) = t for some event e, then f: •e ↔ •t and f: e• ↔ t•.

With every configuration 𝒞 of U we associate the marking Mark(𝒞) := {f(c) | c ∈ Cut(𝒞)}.

Example 2 Figure 1 shows a net N on the left and a prefix of its unfolding on the right; the function f is
reflected in the inscriptions. It is well-known [13, 4] that M is a reachable marking in N iff there exists a
configuration 𝒞 of U such that Mark(𝒞) = M. Moreover, if σ is a run corresponding to 𝒞, then f(σ)
leads from M₀ to M in N. It is in this sense that U mimics the behaviour of N.

A prefix U' of U is called complete if it "contains" every marking of N, i.e. for every reachable
marking M ∈ R(N) there exists a configuration 𝒞 of U' such that Mark(𝒞) = M. It is well-known that
for any configuration 𝒞, the postfix U/𝒞 is isomorphic to the unfolding of the net (P, T, F, Mark(𝒞)).

2.4 The "reveals" relation 

To illustrate "reveals" we shall study the occurrence net in Figure 2. We are interested in finding relations
between events of the form 'if x occurs, then y has already occurred, or will occur eventually', in the sense
that any fair run that contains x also contains y. In other words, this means that y is inevitable given x.
In the context of Figure 2 it is obvious that, for any fair run σ,

$$
k \in \sigma \implies e \in \sigma \implies b \in \sigma,
$$

where we use k ∈ σ etc. informally to mean that k occurs somewhere in σ. In fact, the statement above
simply reflects the causal relationship; if k happens, then surely its cause e must have happened before.
But one also obtains the following facts in Figure 2, again for fair runs σ:

$$
a \in \sigma \iff \neg(b \in \sigma) \iff c \in \sigma \quad\text{and}\quad c \in \sigma \iff g \in \sigma.
$$

In fact, a, c are a pair of independent transitions which can happen concurrently, whereas c is a causal
predecessor of g and yet allows to determine that g will eventually happen. The reader is invited to check
that these relations follow from the fairness of runs. We thus define our desired relation as follows:

Definition 1 Let O be an occurrence net and e, e' be two of its events. We say that e reveals e', written
e ▷ e', iff for all fair runs σ of O, e ∈ σ implies e' ∈ σ. The revealed range of event e is ▷[e] := {e' | e ▷ e'}.

Notice that the definition immediately implies that ▷ is reflexive and transitive. Moreover, there is
a reveals relationship along causal successors, i.e. if a < b, then b ▷ a. The relation ▷ is not symmetric
in general: in fact, in Figure 2 we have h ▷ e but ¬(e ▷ h). On the other hand, ▷ is not a partial order:
consider e ▷ f and f ▷ e in Figure 2.

Figure 2: Example of an occurrence net

These examples show that the inheritance of conflict along causality relations is not sufficient to
derive the statements above. One might therefore suspect that, to obtain the above facts, one would have
to explore the entire set of configurations. However, the following is known:

Lemma 1 ([9, 11]) For an event e, its conflict set is defined as #[e] := {e' | e # e'}. We have that e ▷ e' iff
#[e] ⊇ #[e'].

Thus, in principle all it takes to see if e ▷ e' holds is to check whether no witness against it exists for
(e, e'); we call g a witness for the tuple (e, e') if ¬(e # g) and e' # g. However, notice that this does not
provide us with an effective procedure because the conflict sets can be infinite in general (see [11]). In
Section 3 we shall show that e ▷ e' can effectively be decided.



Facets. Let us just note in passing that the strongly connected components of ▷, called facets in [11],
form equivalence classes of occurrence in the sense that any run σ that contains any event of a facet must
contain all of its events. In Figure 3 the decomposition of the occurrence net from Figure 2 into its facets
is shown. The facets are {a, d, c, g}, {b, e, f}, {h}, {k}; the right-hand side shows the occurrence net
obtained by abstracting every facet into a single event. In general, quotienting an occurrence net into its
facets and their boundary conditions yields an occurrence net whose set of maximal runs is in bijection
with that of the initial occurrence net; this procedure (for details see [11]) can reduce the model size for
analyses of any properties regarding maximal behaviours. In [1], we focus on reduced nets, i.e. where
the contraction of facets has been carried out, and every event is a facet; in this framework, behavioural
properties can be specified in a dedicated logic ERL, for which the synthesis problem is solved in [1]; the
occurrence nets obtained in a canonical way from a logical formula belong to a distinguished subclass
of reduced occurrence nets, the tight nets. For more traditional applications, the facet decomposition can
in general yield fast sufficient criteria for verifying properties. Consider observability-related properties of
Petri nets (see [11, 10] for a detailed discussion on diagnosability): if λ: T → A is a partial labelling in
some alphabet A, how can one quickly decide whether some unobservable transition t, i.e. one on which λ is
undefined, has occurred? By pre-computing the reveals relation and thus the facets on a sufficient finite
prefix of the unfolding, online reasonings of the following type become available: if λ is such that every
facet in which some instance of t occurs contains an occurrence of a distinctive label α that t-free facets
do not produce, then detection of α allows to infer the occurrence of t with certainty. Given that the facet
decomposition and contraction can be computed offline, see below, and reduces the size of unfoldings
dramatically, such improvements are valuable in monitoring and supervising large distributed networks,
in particular in telecommunications.




Figure 3: Left: a prefix of the example from Fig. 2 with facets highlighted; right: the occurrence net
obtained from the left-hand one through facet abstraction

3 A bound for deciding the reveals relation 

Let N = (P, T, F, M₀) be a safe Petri net, where P and T are finite, for the rest of the section, and let
U = (C, E, G, C₀) be its unfolding, where f is the mapping between U and N.

In this section, we shall consider the following problem: Given two events x and y, does x reveal y?
As pointed out in Lemma 1, this requires deciding whether a witness exists. We shall show that the height
of a witness is bounded, i.e. it suffices to search a finite prefix of U to find a witness. The existence of a
finite bound, albeit a much higher one, was first pointed out in [11], and we start by re-stating that result.

Definition 2 Associate to each event e a marking of N by taking M_e := Mark(⌈e⌉). We shall define a
sequence (L_i)_{i≥1} of sets of events, the so-called level-i cutoffs, and a sequence of prefixes (U_i)_{i≥1}, the
so-called level-i prefixes.

We let e ∈ L₁ if M_e = M₀ or there exists an event e' such that e' < e and M_{e'} = M_e. For i > 1, we
let e ∈ L_i iff there exists an event e' ∈ L_{i−1} such that e' < e and M_{e'} = M_e. For i ≥ 1, let L_i^min be the
<-minimal events of L_i. We let U_i := U[L_i'], where L_i' := ∪_{e ∈ L_i^min} ⌈e⌉ is the downward-closure of L_i^min.

Intuitively, the prefix U₁ contains all reachable markings and unrolls each loop in the Petri net exactly
once; notice that the events in L₁ are exactly those events that return the net to a marking that was reached
before. The prefix U₂ unrolls each loop once more, and so on. The following result is shown in [11]:

Theorem 1 ([11]) Let m be the minimal index such that U_m contains event x, and let n be the cor-
responding index for y. Moreover, let K_M be the number of reachable markings of the net N. Then, if
¬(x ▷ y), there exists a witness in U_{K_M + max{m,n} − 1}.
K_M is guaranteed to be finite for safe nets, hence Theorem 1 establishes the decidability of ▷.
However, K_M is difficult to determine exactly and in general very large, not to mention the size of
U_{K_M + max{m,n} − 1}. We shall see that this bound can be improved. Formalizing the discussion after Lemma 1,
we define, for events x, y, z, the witness predicate wit(x, y, z):

$$
\mathrm{wit}(x, y, z) :\iff (z \# y) \land \neg(z \# x).
$$

To prepare the main result, let us first define the height function ℋ. Let O be an occurrence net and e
one of its events. Then

$$
\mathcal{H}(e) := 1 + \max_{e' \in {}^{\bullet}({}^{\bullet}e)} \mathcal{H}(e'), \quad\text{where } \max \emptyset := 0.
$$

We naturally extend the height function to finite prefixes of O:

$$
\mathcal{H}(O[E']) := \max_{e \in E'} \mathcal{H}(e) \qquad (1)
$$

Let M be a reachable marking of N and N(M) be the net (P, T, F, M), i.e. N with M as the initial
marking. Moreover, let U^M be the unfolding of N(M) and U_i^M the analogous prefixes according to
Definition 2. Let K(M) := ℋ(U_1^M), and

$$
K := \max_{M \in R(N)} K(M). \qquad (2)
$$

Lemma 2 The value of K is bounded above by the height ℋ(U₂) of the level-2 prefix of N.

Proof: We first show that U₁ is a complete prefix. Indeed, in [13] an event e is called a cut-off of U if
M_e = M₀ or there exists an event e' such that M_{e'} = M_e and |⌈e'⌉| < |⌈e⌉|. It is shown in [13] that a prefix
that contains all minimal cutoffs is complete. Evidently, e' < e implies |⌈e'⌉| < |⌈e⌉| and is a stronger
condition, therefore our prefix U₁ contains all such minimal cutoffs and is also complete.

Let M ∈ R(N). By completeness of U₁, there exists a configuration 𝒞 in U₁ such that Mark(𝒞) = M.
Now, by construction of U₂, the postfix U₂/𝒞 contains an isomorphic copy of U_1^M. □

We now state the main result of this section:

Theorem 2 Let N be a safe Petri net, U its unfolding, and let K be as defined in (2). For any two events x, y
such that ¬(x ▷ y), there exists an event z such that

1. wit(x, y, z) and

2. ℋ(z) ≤ n + K, where n := max{ℋ(x), ℋ(y)}.

Proof: The idea of the proof is illustrated in Figure 4. Let f be the mapping between N and U. If
¬(x ▷ y) then some event z satisfying wit(x, y, z) exists; it remains to determine the maximal height of z.
If x # y, we are done immediately, taking z := x. Otherwise, 𝒞 := ⌈x⌉ ∪ ⌈y⌉ is a configuration. Choose
z ∈ E such that wit(x, y, z) holds, and such that z' < z implies ¬wit(x, y, z'). By assumption we have
¬(x # z), thus 𝒞_xz := ⌈x⌉ ∪ ⌈z⌉ is also a configuration. Further, let u be such that u # z and u ≤ y, and such
that u' < u implies ¬(u' # z). We claim that

$$
\mathcal{C}_{uxz} := \lfloor u \rfloor \cup \lceil x \rceil \cup \lfloor z \rfloor
$$

is a configuration: if this were not the case, then there would be events e, e' ∈ 𝒞_uxz such that e # e'. Since
𝒞 and 𝒞_xz are configurations, it would follow w.l.o.g. that e ∈ ⌊u⌋ and e' ∈ ⌊z⌋, so e < u and e' < z. But
then e # z and e' # y, both of which contradict the minimality assumptions on u and z. We thus have

$$
\mathcal{C}_{uxz} \xrightarrow{u} \quad\text{and}\quad \mathcal{C}_{uxz} \xrightarrow{z}. \qquad (3)
$$

Figure 4: Rough sketch of the proof of Theorem 2: there exists a condition b in the preset of both u and
z; moreover, u ≤ y and n = max(ℋ(x), ℋ(y)). From 𝒞_uxz we construct the smaller configuration 𝒞.

For n = max{ℋ(x), ℋ(y)}, let 𝒞_n := {e ∈ 𝒞_uxz | ℋ(e) ≤ n}. Then x ∈ 𝒞_n and ⌊u⌋ ⊆ 𝒞_n. Suppose
that z satisfies ℋ(z) > n + K. Then the choice of K implies the existence of two distinct configurations
𝒞₁, 𝒞₂ of U such that

1. 𝒞_n ⊑ 𝒞₁ ⊑ 𝒞₂,

2. ℋ(𝒞₁) < ℋ(𝒞₂), and

3. Mark(𝒞₁) = Mark(𝒞₂).

In fact, Mark(𝒞₁) = Mark(𝒞₂) implies that U/𝒞₁ and U/𝒞₂ are isomorphic, and there exist sets A₁,
A₂ with f(A₁) = f(A₂) such that 𝒞₂ —A₂→ 𝒞_uxz and 𝒞₁ —A₁→ 𝒞 for some 𝒞. Now, Mark(𝒞) = Mark(𝒞_uxz), so
there exists an event e such that f(e) = f(z), ℋ(e) < ℋ(z), and 𝒞 —e→. Thus, 𝒞 ∪ {e} is a configuration
containing both x and e, so ¬(x # e).

From u # z and (3) it follows that u and z compete directly for a token, i.e. there exists a condition b ∈
•u ∩ •z. Since f(e) = f(z), there must be b' ∈ •e with f(b') = f(b). Now, b co b' cannot hold because
N is safe. Suppose b # b'. But then there must exist two events u' ≠ e' such that u' < b and e' < b' and
•u' ∩ •e' ≠ ∅. By definition, 𝒞 contains ⌊u⌋ and enables e, so b and b' must both be contained in the
prefix U[𝒞], so u', e' ∈ 𝒞; but, being a configuration, 𝒞 cannot contain two conflicting events. The only
possibilities left are b = b', b < b', or b' < b, and in all cases we obtain e # u and therefore e # y.

We thus obtain wit(x, y, e), and the height of e is strictly less than that of z. Either ℋ(e) ≤ n + K,
and we are done; or we replace z by e and repeat the surgery above, obtaining another witness with strictly
lesser height, etc., until we end up with a witness that has the desired height. □

Theorem 2 in connection with Lemma 2 implies that for any pair x, y of concurrent events, it suffices
to inspect U₂^{M_xy} to determine whether x ▷ y, where M_xy := Mark(⌈x⌉ ∪ ⌈y⌉). Notice that this bound is much
lower than the one given by Theorem 1; in fact, contrary to the previous bound it provides hope to
actually compute the relation.

The reader will observe that in the proof of Theorem 2 we exploit the fact that a suffix of 𝒞_uxz with
height K contains two marking-equivalent causally related events. To find two such events, it actually
suffices to search an isomorphic copy of the level-1 prefix starting at the marking associated with 𝒞_uxz.
It is thus tempting to think that Lemma 2 unfolds "one level too much". However, for a given candidate
z as witness for x and y, there may be many possible events u for which one would have to search the
suffix of 𝒞_uxz, therefore limiting the candidates in this manner would not at all be straightforward. The
value of Lemma 2 is in bounding the set of candidates for z in a simple, effective manner.



4 Algorithms for computing the reveals relation 



In this section, we exploit the results of Sections 2 and 3 to exhibit two concrete algorithms for deter-
mining the reveals relation. The main contribution is in Section 4.1 where we show how to compute the
relation between all events in a given prefix. In Section 4.2 we discuss the question how to decide x ▷ y
for a single pair x, y.



4.1 Computing reveals on a given prefix 

For the rest of this section, let us fix a finite occurrence net O, which should be a finite prefix of the unfolding
of some safe Petri net, where E is the set of events. We are going to compute the relation ▷ between all pairs in E.

An algorithm for this purpose can be useful if either the underlying net is free of loops (and hence 
the unfolding is finite), or if one wants to compute the relation for all events of height up to n (in which 
case the prefix should contain the events of height n + K). 

Our algorithm consists of three passes over the occurrence net that compute, in turn, the causality
relation <, the conflict relation #, and finally the reveals relation ▷. We assume that events in E are
available in topologically sorted order, i.e. an order ≺ where e < e' implies e ≺ e'. Such an order can
be easily established while scanning O: e.g., one first identifies the minimal conditions (those having no
incoming arcs) and then traverses the unfolding with a standard worklist algorithm.

For the three passes that compute <, #, and >, we exploit certain causal inheritance properties. It 
turns out that most operations can be implemented with simple bitset operations. 

1. In the first pass, we compute for each event e a set of events post(e) := {e' | e ≤ e'} containing
its successors (and e itself). Initially, that set is empty for all e; we then traverse E in inverse
topological order, exploiting the fact that the causal relationship is obviously transitive: e ≤ e' iff
e = e' or there exists e'' such that e'' ∈ (e•)• and e'' ≤ e'.

2. In the second pass, we compute for each event e the set conf(e) := {e' | e # e'}, i.e., the set of
events with which e is in conflict. Here, we exploit that the conflict relation is inherited by causal
successors: e # e' iff •e ∩ •e' ≠ ∅ or there exist f, f' such that f ≤ e, f' ≤ e', and •f ∩ •f' ≠ ∅. We
traverse E in topological order; each event e inherits the conflicts of its (direct) causal predecessors
and obtains new conflicts with the set post(e') for all events e' with which it directly competes for
some condition.

3. In the third pass, we finally compute a set rev(e) for each event e such that rev(e) := {e' | e ▷ e'}.
Here, we mainly exploit two facts: e cannot reveal any events with which it is in conflict, and it
reveals all events revealed by its causal predecessors: if e'' ▷ e' and e'' < e, then e ▷ e'. We thus
traverse E in topological order; at each event, all known conflicts are discarded, and events from
direct causal predecessors inherited. This leaves some events e' for which the status is unknown
(concurrent events and causal successors), and for these we check directly whether conf(e) ⊇
conf(e') (compare Lemma 1).

Algorithm 1 Computing the reveals relation

post(e) := {e}; conf(e) := ∅; rev(e) := {e} for all e ∈ E
for all e ∈ E in inverse ≺-order do
    for all e' ∈ (e•)• do
        post(e) := post(e) ∪ post(e')
    end for
end for

for all e ∈ E in ≺-order do
    for all e' ∈ •(•e) do
        conf(e) := conf(e) ∪ conf(e')
    end for
    for all e' ≠ e s.t. •e ∩ •e' ≠ ∅ do
        conf(e) := conf(e) ∪ post(e')
    end for
end for

for all e ∈ E in ≺-order do
    for all e' ∈ •(•e) do
        rev(e) := rev(e) ∪ rev(e')
    end for
    E' := E \ (rev(e) ∪ conf(e));
    for all e' ∈ E' do
        if conf(e) ⊇ conf(e') then
            rev(e) := rev(e) ∪ {e'}
        end if
    end for
end for

Algorithm 1 shows a version of the algorithm in pseudo-code. Notice that if post(·), conf(·), and rev(·)
are stored as bitsets (containing one bit for every event in E), then almost all operations can be imple-
mented using basic logical operations on bitsets. In the first two passes, the number of such operations
is bounded by the number of arcs in U. In the third pass, the number of operations is bounded by the
pairs (e, e') such that e' ∉ (rev(e) ∪ conf(e)), that is by |E|² in the worst case. However, it turns out that
in most cases the number of such checks is comparatively small.
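As an added example (not code from the paper or its Java implementation), the following Python program builds a small constructed occurrence net, runs the three bitset passes of Algorithm 1 on it, extracts the facets of Section 2.4 as the strongly connected components of ▷, and cross-checks the result against Definition 1 by enumerating all maximal configurations, which coincide with the fair runs of a finite occurrence net. The net, its event names and all function names are assumptions of this example.

```python
from collections import deque

# Constructed example occurrence net (not from the paper): event -> (preset, postset).
# c1, c2 are initial; a and b compete for c1; d needs a and c; e follows b; f follows d.
EVENTS = {
    "a": ({"c1"}, {"c3"}),
    "b": ({"c1"}, {"c4"}),
    "c": ({"c2"}, {"c5"}),
    "d": ({"c3", "c5"}, {"c6"}),
    "e": ({"c4"}, {"c7"}),
    "f": ({"c6"}, set()),
}

def structure(events):
    """Producer/consumers of every condition and a topological (≺) order of the events."""
    producer, consumers = {}, {}
    for ev, (pre, post) in events.items():
        for c in post:
            assert c not in producer, "no backward branching: |•c| <= 1"
            producer[c] = ev
        for c in pre:
            consumers.setdefault(c, []).append(ev)
    # Worklist: an event becomes ready once every producer of its preset has been emitted.
    indeg = {ev: sum(1 for c in pre if c in producer) for ev, (pre, _) in events.items()}
    work = deque(sorted(ev for ev, n in indeg.items() if n == 0))
    order = []
    while work:
        ev = work.popleft()
        order.append(ev)
        for c in events[ev][1]:
            for succ in consumers.get(c, []):
                indeg[succ] -= 1
                if indeg[succ] == 0:
                    work.append(succ)
    assert len(order) == len(events), "net is not acyclic"
    return producer, consumers, order

def compute_reveals(events):
    """Algorithm 1 with sets encoded as int bitsets; returns (rev, conf) keyed by event."""
    producer, consumers, order = structure(events)
    bit = {ev: 1 << i for i, ev in enumerate(order)}
    preds = {ev: {producer[c] for c in events[ev][0] if c in producer} for ev in order}
    succs = {ev: {s for c in events[ev][1] for s in consumers.get(c, [])} for ev in order}
    # Pass 1: post(e) = {e' | e <= e'}, filled in inverse topological order.
    post = {ev: bit[ev] for ev in order}
    for ev in reversed(order):
        for s in succs[ev]:
            post[ev] |= post[s]
    # Pass 2: conf(e) = {e' | e # e'}: inherit from direct predecessors, then add post(e')
    # for every e' != e competing with e for a condition.
    conf = {ev: 0 for ev in order}
    for ev in order:
        for p in preds[ev]:
            conf[ev] |= conf[p]
        for c in events[ev][0]:
            for rival in consumers[c]:
                if rival != ev:
                    conf[ev] |= post[rival]
    # Pass 3: rev(e) = {e' | e reveals e'}: inherit from predecessors, drop conflicts,
    # decide the remaining candidates by Lemma 1 (conf(e) ⊇ conf(e')).
    rev = {ev: bit[ev] for ev in order}
    every = (1 << len(order)) - 1
    for ev in order:
        for p in preds[ev]:
            rev[ev] |= rev[p]
        unknown = every & ~(rev[ev] | conf[ev])
        for other in order:
            if unknown & bit[other] and (conf[ev] & conf[other]) == conf[other]:
                rev[ev] |= bit[other]
    decode = lambda mask: frozenset(ev for ev in order if mask & bit[ev])
    return {ev: decode(rev[ev]) for ev in order}, {ev: decode(conf[ev]) for ev in order}

def facets(rev):
    """Strongly connected components of reveals: x ~ y iff x reveals y and y reveals x."""
    return {frozenset(y for y in rev[x] if x in rev[y]) for x in rev}

def maximal_configurations(events):
    """All maximal configurations (= fair runs) of a finite occurrence net, by DFS."""
    producer, _, _ = structure(events)
    conditions = {c for pre, post in events.values() for c in pre | post}
    result = set()
    def extend(config, cut):
        enabled = [ev for ev, (pre, _) in events.items() if ev not in config and pre <= cut]
        if not enabled:
            result.add(config)
        for ev in enabled:
            pre, post = events[ev]
            extend(config | {ev}, (cut - pre) | post)
    extend(frozenset(), frozenset(conditions - set(producer)))
    return result

def reveals_by_definition(events):
    """Definition 1 applied directly: x reveals y iff every fair run containing x contains y."""
    runs = maximal_configurations(events)
    return {x: frozenset(y for y in events if all(y in r for r in runs if x in r))
            for x in events}

def algorithm_agrees_with_definition(events):
    return compute_reveals(events)[0] == reveals_by_definition(events)
```

On this net every event reveals c (it is never in conflict, so its conflict set is empty and Lemma 1 puts it in every rev set), while c reveals only itself; the facets come out as {a, d, f}, {b, e} and {c}.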



4.2 Computing reveals for a single pair 

We briefly discuss the question of how to decide x ▷ y for a single pair of events x, y. If one is interested
in individual pairs, such a procedure may well be more efficient than the one from Section 4.1 because it
allows one to limit the events that have to be considered.

Assume that x, y are events of some unfolding U, of which at least the prefix ⌈x⌉ ∪ ⌈y⌉ is known. (We
assume that neither x # y nor x > y (i.e. y < x) hold, otherwise the solution is trivial.) Denote by #^min[y] := {z | z ∈
#[y] ∧ ∀z': (z' < z → z' ∉ #[y])} the set of <-minimal conflicts of y, its so-called root conflicts. Due to
results from [11] we know that x ▷ y iff #[x] ⊇ #^min[y]. To find a witness, it suffices therefore to find an
event z that is not in conflict with x, but a root conflict of y; the latter implies that •z ∩ •⌈y⌉ ≠ ∅.

We propose the following: First, mark the conditions in •⌈y⌉ as 'goals'. Secondly, mark all conditions
and events in conflict with x as 'useless' (they cannot produce a witness), as well as all elements of ⌈x⌉
(which can equally not produce a witness by assumption). One then regards the remaining non-'useless'
events up to the height given by Lemma 2, either by unfolding them on-the-fly or by following them on
a pre-computed prefix. A witness is found if one such 'non-useless' event consumes a 'goal' condition.

5 Experiments 

We implemented the theoretical and algorithmical results of the preceding sections and evaluated them 
experimentally. The problems we wanted to address were the following: 

• What is the value of K (as given by Lemma 2) for medium-sized nets?

• Provided a prefix is available, how efficiently can one determine ▷, using Algorithm 1?

As inputs, we chose the safe Petri net examples supplied by the PEP tool [8]. Table 1 provides
some statistics on the nets we used, such as the number of places and transitions, as well as the bound K
according to Lemma 2 for each particular net. We obtained K by modifying the Mole unfolding tool.
Normally, Mole is used to compute finite complete prefixes; for our experiments, we modified its cutoff
criterion so that it would compute the unfolding prefix U₂. We also give the time, in seconds, to compute
the said prefix in the rightmost column.

Table 1: Net statistics and computation of K 

Petri net           |P|   |T|     K   Time/s 
buf100              200   101   201      2.1 
elevator             59    74    80      0.3 
gas_station          30    18    18      0.1 
mutual               62    67            t/o 
parrow               77    54    91      1.6 
peterson             27    31    34      0.1 
reader_writer_2      53    60    29      2.3 
sdl_arq_deadlock    202   183    37      0.1 
sdl_arq             208   234   129      0.2 
sdl_example         323   471    71      0.1 
sem                  26    25    35      0.1 


To make the experiments more interesting, we excluded non-cyclic examples, where K would be obvious. 
For the rest, the computation of K succeeded except in one case (mutual, more than 10 minutes). 
To give some indication, the size of a complete prefix in these cases was between several dozen and a 
few thousand events, whereas the size of U_2 was between several hundred and several tens of thousands of 
events. By contrast, the computation of K failed for another set of larger benchmarks provided by Mole, 
whose complete prefixes already have a size of 10,000 and more events. 

To answer the second question, we implemented Algorithm 1 in Java. Our program took a pre-computed 
prefix and computed the relation ▷ on it, using the BitSet class for most operations. The 
results are summarized in Table 2. As one can see, the algorithm works well even for several tens of 
thousands of events, usually computing the relation in a matter of seconds. 
We detail the time for the three passes of the algorithm (all times are in seconds); in almost every 
case, we have the same ordering of computation times. The computation of the causal relation (post) 
takes hardly significant time, the second pass for the computation of the conflict relation (conf) takes a 
little more time, and the third pass for the computation of the reveals relation (rev) slightly dominates the 
computation time. 



Table 2: Running times of Algorithm 1 

Petri net            Events   post (Time/s)   conf (Time/s)   rev (Time/s) 
bds_1.sync            12900            0.13            0.19           0.30 
buf100                17700            0.17            0.12           0.25 
byzagr4_1b            14724            0.18            0.19           0.68 
dpd_7.sync            10457            0.11            0.15           0.24 
dph_7.dlmcs           37272            0.56            0.91           2.10 
elevator75           234879           15.84           22.58          97.47 
elevator               5586            0.05            0.05           0.13 
elevator_4            16856            0.17            0.27           0.38 
fifo20               100696            2.92            3.72          22.88 
ftp_1.sync            83889            2.08            3.61           6.78 
(name illegible)      ?5394            0.29            0.47           0.95 
gas_station            2861            0.01            0.01           0.01 
key_4.fsa             67954            1.40            2.19           4.62 
parrow                85869            2.47            4.17           9.51 
peterson              72829            1.60            2.54           5.23 
q_1.sync              10722            0.11            0.15           0.30 
q_1                    7469            0.08            0.09           0.17 
reader_writer_2       20229            0.24            0.37           0.53 
rw_12.sync            98361            2.36            5.14           6.36 
rw_12                 49179            0.68            1.25           1.70 
rw_1w3r               15401            0.15            0.22           0.50 
rw_2w1r                9241            0.10            0.11           0.25 
sdl_arq                2691            0.03            0.03           0.09 
sem                   19689            0.20            0.23           0.61 

6 Conclusion 

We presented theoretical and algorithmic contributions towards the computation of the reveals relation. 
The analysis in ifTTTl had only provided the proof that a ▷ b could be decided on some bounded prefix 
of the unfolding; but the bound (see Theorem 1) was prohibitively large, and an efficient procedure for 
computing ▷ was lacking. The present paper closes this theoretical and practical gap. Our results show 
that with a suitable cutoff criterion, the complete finite prefix U_2 is sufficient to obtain the ▷-relation on 
U_1. Moreover, an efficient algorithm for computing ▷ on finite occurrence nets has been proposed and 
tested; the experimental results clearly show that ▷ can be obtained and used in practice. 

The theory of reveals can be further developed along the lines of fH, where a dedicated logic (called 
ERL) is introduced for expressing generalized reveals relations of the form "if all events from set A occur, 
then at least one event from set B must eventually occur", and the problem of synthesizing occurrence 
nets from ERL formulas is solved. The study of further variants of logics for concurrency in the light of 
the recent results has only just begun. 

In addition, we intend to extend reveals-based analysis to other Petri net classes such as Time nets 
and contextual nets, and to exploit it in applications that include diagnosis and testing. 